4.1 ENUMERATION CONCEPTS



What is Enumeration?

Enumeration is defined as the process of extracting information such as user names, machine names, network resources, shares, and services from a system.

During enumeration the attacker creates active connections to the system and sends directed queries to it in order to gather more information about the target; this information is then used to identify weak points in the system's security. A common example is the null session: an unauthenticated connection to the IPC$ share ('Remote IPC share'), which can be used to enumerate the shares and accounts on the machine.

Information that can be obtained by enumeration:
- Network resources and shares
- Users and groups
- Routing tables
- Auditing and service settings
- Machine names
- Applications and banners
- SNMP and DNS details

TECHNIQUES FOR ENUMERATION

In the enumeration process the attacker gathers data such as user names, machine names and network details (routing tables), as well as information about network devices that are managed with the Simple Network Management Protocol (SNMP). The main techniques used are the following.



1. Extract user names using email IDs

Every email ID is made up of two parts, a user name and a domain name, in the form username@domainname. In the address abc@gmail.com, "abc" (the part before the "@" sign) is the user name and "gmail.com" (the part after the "@" sign) is the domain name.

2. Extract information using the default passwords

Devices that are left with their default (factory-set) passwords allow an attacker to log in and extract sensitive information from them.

3. Brute force Active Directory

Microsoft Active Directory is susceptible to a user name enumeration weakness at the time it verifies user-supplied input. If the 'logon hours' feature is enabled for a user, the authentication services return different error messages for different failure cases, and this difference makes it possible to tell valid user names from invalid ones. Once a list of valid user names has been obtained in this way, a brute force attack can be run against their passwords.

4. Extract user names using SNMP

The SNMP community 'string' (the read-only or read/write password of the SNMP service) is often left at its default or is easy to guess; with it, user names and other details can be extracted from the managed device through the SNMP API.

5. Extract user groups from Windows

6. Extract information using DNS Zone Transfer

A DNS zone transfer is the process by which a DNS server sends a copy of all the records of a zone it holds to another DNS server. If the DNS server accepts a zone transfer request from any host, it returns all the records of the zone to the requester, which gives a complete picture of the hosts and servers known to the DNS server of that network.



SERVICES AND PORTS TO ENUMERATE



TCP 53: DNS ZONE TRANSFER

DNS zone transfer uses TCP port 53, while ordinary DNS queries use UDP port 53. A zone transfer moves a large amount of zone data between DNS servers, so this connection between the DNS servers always runs over TCP, which provides reliable delivery: the DNS server sending the zone data (Zone data) keeps the connection open and every segment is acknowledged by the receiving server with a TCP ACK.

TCP 135: Microsoft RPC Endpoint Mapper

The RPC port 135 is used by client/server applications to locate the ports on which the RPC services of a machine are listening (the endpoint mapper). Connecting to this port therefore reveals which RPC services are registered on the machine and where they can be reached.

TCP 137: NetBIOS Name Service (NBNS)

The NetBIOS Name Service (NBNS), also known as Windows Internet Name Service (WINS), is the name resolution service of NetBIOS: it maps the NetBIOS name of a machine to its IP address, in the same way that DNS maps host names to IP addresses. NBNS is what allows connections to be made to a machine by its NetBIOS name.

TCP 139: NetBIOS Session Service (SMB over NetBIOS)

The NetBIOS session service lets two computers establish a connection (a session) for exchanging data. Sessions are carried over TCP port 139. To open a session, the client sends a "Session Request" packet that contains the NetBIOS name of the calling machine and the NetBIOS name of the service it wants to reach; the server answers with a "Positive Session Response" if it accepts the session or a "Negative Session Response" if it refuses it.
TCP 445: SMB over TCP (Direct Host)

Windows 2K/XP and later can run SMB directly over TCP/IP on port 445 without the NetBIOS layer (the "direct host" mode). The Server Message Block (SMB) protocol is what Windows 2K/XP uses for file and printer sharing, and it can therefore be carried either over NetBIOS (TCP 139) or directly over TCP/IP (TCP 445).

UDP 161: Simple Network Management Protocol (SNMP)

SNMP is used to manage and monitor network devices such as switches and routers. The SNMP agents on the managed devices listen on UDP port 161, while asynchronous traps sent by the agents are received by the management station on UDP port 162.

TCP/UDP 389: Lightweight Directory Access Protocol (LDAP)

LDAP (Lightweight Directory Access Protocol) is the protocol used to query directory services, and it is the protocol on which MS Active Directory is based. Applications such as Microsoft Exchange and NetMeeting use it to look up contact and address information in the directory. LDAP listens on port 389 (TCP and UDP).

TCP/UDP 3368: Global Catalog Service

The Global Catalog service is reached on port 3368. On TCP 3368 the service uses the connection-oriented TCP protocol, which provides reliable end-to-end communications: the connection is established before any data is sent, and every packet is acknowledged by the receiver, so lost packets are retransmitted.

On UDP 3368 the service uses the User Datagram Protocol (UDP), a Transport Layer protocol that sends datagrams without establishing a connection and without guaranteeing delivery. UDP is used where speed matters more than reliability, for example voice over IP (VoIP), streaming media and real-time multiplayer games.

TCP 25: Simple Mail Transfer Protocol (SMTP)

SMTP (Simple Mail Transfer Protocol) uses TCP port 25. Telnet can be used to connect to port 25 of a mail server and talk to the SMTP service directly, which is a way of enumerating the mail accounts defined on the server. SMTP is the standard protocol for sending email, but because it is an old and simple protocol it offers this kind of information to anyone who can reach the port.



4.2 NETBIOS ENUMERATION



Enumerating information from a Windows system begins with NetBIOS: the first thing an attacker tries is to take advantage of the NetBIOS service, and the information that can be obtained through NetBIOS enumeration is described in this section.
NETBIOS ENUMERATION

The first step in enumerating a Windows system is to take advantage of the NetBIOS API. NetBIOS stands for Network Basic Input Output System. It was originally developed by IBM and Sytek as an API that lets client software access LAN resources, and it later became the basis of file and printer "Sharing" over TCP/IP networks (NetBIOS over TCP/IP). The term "API" stands for "Application Programming Interface", the set of functions a program calls to use a service; the NetBIOS API is the interface through which Windows programs use NetBIOS names and sessions for sharing.

A NetBIOS name is a 16-character ASCII string that identifies a network device over TCP/IP: 15 characters are used for the device name and the 16th character is reserved for the service or name record type (Name record type).



Through NetBIOS enumeration an attacker can obtain:

- the list of computers that belong to a domain
- the list of shares (Shares) on the individual hosts of the network
- policies and passwords (Policies and passwords)

For NetBIOS enumeration to work, the target must have port 139 open and its OS must have NetBIOS and file and printer sharing enabled; the NetBIOS service then answers name and share queries from the network.

Depending on the permissions of the share (Share), an attacker may be able to read or write files on the remote system, or cause a denial of service. NetBIOS is one of the oldest protocols still in use, and the security measures introduced in Windows NT and Windows 2000 did not fully close the door to this enumeration method.

Note: NetBIOS is not supported over IPv6.

NetBIOS Name List

NetBIOS Name   Code   Type     Information Obtained
<host name>    <00>   UNIQUE   Hostname
<domain>       <00>   GROUP    Domain name
<host name>    <03>   UNIQUE   Messenger service running for that computer
<username>     <03>   UNIQUE   Messenger service running for that individual logged-in user
<host name>    <20>   UNIQUE   Server service running
<domain>       <1D>   GROUP    Master browser name for the subnet
<domain>       <1B>   UNIQUE   Domain master browser name, identifies the PDC for that domain

NetBIOS uses the following ports:

137  netbios name
138  netbios datagram
139  netbios session
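The 15-character name plus suffix byte described above, and the suffix table, are easiest to see on the wire. The following Python example is added here and is not part of the original course: it builds a constructed NBSTAT (node status) reply of the kind nbtstat -a and nbtscan receive, with names and adapter address modeled on the nbtscan -hv output later in this chapter, and decodes it using the suffix meanings from the table above. The packet layout follows RFC 1002; the sample names and MAC are constructed test data.

```python
"""Build and decode a NetBIOS node-status (NBSTAT) reply, the packet behind nbtstat -a."""
import struct

# (suffix, type) -> meaning, taken from the NetBIOS name list table in this chapter.
NAME_SUFFIXES = {
    (0x00, "UNIQUE"): "Hostname (Workstation service)",
    (0x00, "GROUP"): "Domain name",
    (0x03, "UNIQUE"): "Messenger service (computer or logged-in user)",
    (0x20, "UNIQUE"): "Server service running",
    (0x1D, "GROUP"): "Master browser name for the subnet",
    (0x1B, "UNIQUE"): "Domain master browser name (PDC)",
}


def encode_nb_name(name, suffix=0x00):
    """First-level encoding (RFC 1002): 16-byte name -> 32 chars, each nibble as 'A'+nibble."""
    if name == "*":                                   # wildcard used by node-status queries
        raw = b"*" + bytes(15)
    else:                                             # 15 chars padded with spaces + suffix byte
        raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    encoded = "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)
    return bytes([32]) + encoded.encode("ascii") + b"\x00"


def build_node_status_response(txid, names, mac):
    """Constructed sample NBSTAT reply (test data, not captured traffic)."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # response flag, one answer RR
    rdata = bytes([len(names)])                                  # NUM_NAMES
    for name, suffix, group in names:
        flags = (0x8000 if group else 0) | 0x0400                # G bit (group) and ACT bit
        rdata += name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
        rdata += struct.pack(">H", flags)
    # STATISTICS: UNIT_ID (the adapter MAC) followed by the counters, zeroed here
    rdata += bytes.fromhex(mac.replace(":", "")) + bytes(40)
    rr = encode_nb_name("*") + struct.pack(">HHIH", 0x0021, 0x0001, 0, len(rdata))
    return header + rr + rdata


def parse_node_status_response(pkt):
    """Return ([(name, suffix, type, meaning), ...], mac) from an NBSTAT reply."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a node-status response")
    pos = 12
    pos += 1 + pkt[pos] + 1                           # skip RR_NAME: length byte, label, terminator
    rr_type, _rr_class, _ttl, rdlen = struct.unpack(">HHIH", pkt[pos:pos + 10])
    pos += 10
    if rr_type != 0x0021:
        raise ValueError("answer RR is not NBSTAT")
    if pos + rdlen > len(pkt):                        # what nbtscan reports as "Incomplete packet"
        raise ValueError("truncated node-status response")
    num_names, pos = pkt[pos], pos + 1
    names = []
    for _ in range(num_names):                        # 18-byte NODE_NAME entries
        raw = pkt[pos:pos + 15].decode("ascii").rstrip()
        suffix = pkt[pos + 15]
        name_flags = struct.unpack(">H", pkt[pos + 16:pos + 18])[0]
        kind = "GROUP" if name_flags & 0x8000 else "UNIQUE"
        names.append((raw, suffix, kind, NAME_SUFFIXES.get((suffix, kind), "unknown")))
        pos += 18
    mac = ":".join(f"{b:02x}" for b in pkt[pos:pos + 6])   # UNIT_ID = adapter address
    return names, mac


# Constructed sample, modeled on the nbtscan -hv output shown in this chapter.
SAMPLE_NAMES = [("JANA-TEBA", 0x00, False), ("JANA-TEBA", 0x20, False),
                ("WORKGROUP", 0x00, True), ("WORKGROUP", 0x1D, True)]
SAMPLE_REPLY = build_node_status_response(0x1234, SAMPLE_NAMES, "00:1e:ec:af:fb:65")

if __name__ == "__main__":
    found, adapter = parse_node_status_response(SAMPLE_REPLY)
    for name, suffix, kind, meaning in found:
        print(f"{name:<16}<{suffix:02X}>  {kind:<7} {meaning}")
    print("Adapter address:", adapter)
```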
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NULL SESSIONS 



A null session is an unauthenticated NetBIOS session between two computers. This behaviour was introduced by Microsoft to allow certain communication between machines without authentication. A null session lets an anonymous client obtain information from the remote system without authentication, such as the following:



C:\WINDOWS\system32\cmd.exe

C:\>net view \\192.168.0.11
System error 5 has occurred.

Access is denied.

C:\>net use \\192.168.0.11\ipc$ "" /u:""
The command completed successfully.

C:\>net view \\192.168.0.11
Shared resources at \\192.168.0.11

Share name   Type   Used as   Comment

Data         Disk
Management   Disk
Private      Disk
Public       Disk
The command completed successfully.






To create a null session, the client connects to the IPC$ share of the target with an empty user name and an empty password, as in the example above; once the session exists, the shares and accounts of the machine can be listed. Windows XP and Windows Server 2003 restrict what a null session is allowed to do by default. For more on null sessions and the NetBIOS protocol, see:

http://en.wikipedia.org/wiki/NetBIOS

http://www.securityfriday.com/Topics/winxp2.html

http://www.securityfriday.com/Topics/restrictanonymous.html

SCANNING FOR THE NETBIOS SERVICE

Several tools can be used to scan a network for hosts running the NetBIOS service (Windows File Sharing), among them nbtstat, smbserverscan and nbtscan.

nbtstat -

Nbtstat is a Windows command-line tool that displays NetBIOS over TCP/IP (NetBT) protocol statistics, the NetBIOS name tables (NetBIOS name tables) of the local computer and of remote computers, and the NetBIOS name cache (NetBIOS name cache). Nbtstat can also refresh the name cache and the names registered with the Windows Internet Name Service (WINS). To use it, open a command prompt and run nbtstat.exe with the required options.

To obtain the NetBIOS name table of a remote machine:

nbtstat.exe -a <NetBIOS Name of remote machine | IP of remote machine>

To display the contents of the NetBIOS name cache, that is the NetBIOS names recently resolved to IP addresses (resolved IP), run "nbtstat.exe -c":



C:\Windows\system32\cmd.exe

C:\Users\Admin>nbtstat.exe -c

Ethernet:
Node IpAddress: [192.168.168.170] Scope Id: []

              NetBIOS Remote Cache Name Table

    Name               Type       Host Address       Life [sec]
    ----------------------------------------------------------------
    (name illegible)   <20>  UNIQUE   192.168.168.178   ...
    (name illegible)   <20>  UNIQUE   192.168.168.1     ...



nbtscan -

Nbtscan is a program for scanning IP networks for NetBIOS name information. It sends a NetBIOS status query to every address in the given range and lists the replies in a human-readable form: for each responding host it shows the IP address, the NetBIOS computer name, the logged-in user name and the MAC address. Because it can be pointed at a whole subnet, it quickly locates the machines on which the NetBIOS service is enabled, and that information is very useful in the enumeration phase.



root@bt:~# nbtscan -r 192.168.11.0/24

Doing NBT name scan for addresses from 192.168.11.0/24

IP address       NetBIOS Name     Server     User        MAC address

[Screenshot: the rest of the nbtscan output lists one line per responding host (names such as XP-LAB-326, XP-LAB-354, XP-LAB-357, CLIENT198, CLIENT127, CLIENT156, ALICE, IS-ORACLE2, TRIXBOX1, REDHAT, MASTER, SLAVE, MAILMAN, UBUNTU05 and SRV2) with a <server> marker, a user column that is mostly <unknown>, and the MAC address of each host; the individual values are not legible in this copy.]
To display the full NetBIOS name table of the hosts in a range, run nbtscan with the -hv options (verbose output with human-readable service names):

# nbtscan -hv 192.168.16.70-80



root@jana:~# nbtscan -hv 192.168.16.70-80
Doing NBT name scan for addresses from 192.168.16.70-80

NetBIOS Name Table for Host 192.168.16.71:

Incomplete packet, 155 bytes long.
Name             Service                Type
----------------------------------------------
JANA-TEBA        Workstation Service
JANA-TEBA        File Server Service
WORKGROUP        Domain Name

Adapter address: 00:1e:ec:af:fb:65
----------------------------------------------

root@jana:~#







NetBIOS Enumeration Tool: SuperScan

http://www.mcaffe.com

SuperScan is a connection-based TCP port scanner, pinger and hostname resolver. It runs ping sweeps over an IP range, supports multithreading, and includes a set of Windows enumeration functions.

Key features of SuperScan:
- Support for unlimited IP ranges
- Host detection using multiple ICMP methods
- TCP SYN, UDP, and source port scanning
- Hostname resolving
- IP and port scan order randomization
- Extensive Windows host enumeration capability
- Extensive banner grabbing
- Source port scanning
- Simple HTML report generation

1. After installing the tool with its installation wizard, run SuperScan 4.0; the main window shown below appears:



[Screenshot: SuperScan 4.0 main window with the tabs Scan | Host and Service Discovery | Scan Options | Tools | Windows Enumeration | About, the fields Hostname/IP, Start IP, End IP and Read IPs from file, the buttons Clear Selected and Clear All, and a View HTML Results button.]
2. Open the Windows Enumeration tab, which contains the enumeration options shown in the window below. Enter the name or IP address of the target in the Hostname/IP/URL field, tick the enumeration types you want from the list on the left, and then press Enumerate.



[Screenshot: SuperScan 4.0, Windows Enumeration tab. Field Hostname/IP/URL, buttons Enumerate and Options. Enumeration Type list: NetBIOS Name Table, NULL Session, MAC Addresses, Workstation type, Users, Groups, RPC Endpoint Dump, Account Policies, Shares, Domains, Remote Time of Day, Logon Sessions, Drives, Trusted Domains, Services, Registry. Status bar: Ready.]



Note: Windows XP Service Pack 2 restricts the use of raw sockets, which SuperScan needs for some of its scans. Before running SuperScan, stop the Windows Firewall / Internet Connection Sharing service from the command prompt with the command net stop SharedAccess.

3. Press Enumerate and the enumeration starts; the results are displayed in the pane on the right. Wait until the message Enumeration Complete appears in the status bar at the bottom of the window.




[Screenshot: SuperScan Windows Enumeration tab after the scan, showing the ticked enumeration types (NetBIOS Name Table, NULL Session, RPC Endpoint Dump, Account Policies, Remote Time of Day, Logon Sessions, Drives, Trusted Domains) and the results pane; the result text is not legible in this copy.]



4. To start a new enumeration, press Clear first and then Enumerate.
NetBIOS Enumeration Tool: HYENA

Source: http://www.systemtools.com

Hyena is a system management tool for Windows NT, Windows 2000, Windows XP, Windows Vista, Windows 7 and Windows Server 2003/2008 systems. It uses an Explorer-style interface for all of its operations and, for a single machine or for a whole domain through its Domain controller, shows the users, groups, shares, printers, sessions (session), open files, services, devices, events (event), disk space, user rights, scheduled jobs and more.

1. After installing the tool with its wizard, run it; the main window lists the objects of the local workstation in a tree, as follows:



[Screenshot: Hyena v9.0 (http://www.systemtools.com), menus File, Edit, View, Tools, Help. The tree shows JANA-TEBA (Local Workstation) with the nodes Drives, Local Connections, Users, Local Groups, Printers, Shares, Sessions, Open Files, Services, Devices, Events, Disk Space, User Rights, Performance, Scheduled Jobs, Registry, WMI and Enterprise.]



2. Choose from the tree the item you want to view, for example Services for the services running on the system or Events for the event logs; this works in the same way as the Windows Computer management console.



NetBIOS Enumeration Tool: WinFingerprint

http://www.winfingerprint.com

WinFingerprint is an administrative network resource scanner. It can scan a single host, an IP range or the network neighbourhood and, mainly through NetBIOS, collects information about the remote hosts: operating system version, users and groups, shares, services, sessions, patch level and MAC address. It can also run in a passive scan mode, test HTTP/FTP services, and run TCP and UDP port scans, as the scan options in the window below show.
[Screenshot 1: Winfingerprint 0.6.2 scanning the single host 10.0.0.3. Input Options: IP Range, IP List, Single Host, Neighborhood. Scan Options: Domain, Active Directory, WMI API, Win32 OS Version, Users, Patch Level, Null IPC$ Sessions, Services, MAC Address, NetBIOS Shares, Disks, Sessions, Date and Time, Groups, Event Log, Ping Host(s), Traceroute Host, RPC Bindings, Show Errors; TCP Portscan Range and UDP Portscan Range 1-1024, Timeout for TCP/UDP/ICMP/SNMP, Max Connections 1024, SNMP Community String. Output: "Pinging 10.0.0.3 with 44 bytes of data", "IP Address: 10.0.0.3 WINDOWS8", "Computername: WORKGROUP\WINDOWS8", MAC 00155da86e06, "Scan completed in 0.27 seconds".]

[Screenshot 2: the same tool scanning the range 192.168.168.1 to 192.168.168.4 over the Broadcom NetLink Gigabit Ethernet adapter. Output for 192.168.168.1: the computer name, a traceroute line "1 0 ms 0 ms 0 ms", the MAC Addresses section and the RPC Bindings section with entries of the form "ncacn_ip_tcp UUID ... Address 192.168.168.1 EndPoint 49158 / 49219 / 49190 / 49181".]



NetBIOS Enumeration Tool: NetBIOS Enumerator

Source: http://nbtenum.sourceforge.net

NetBIOS Enumerator scans a range of IP addresses and enumerates the NetBIOS and SMB information of the hosts that answer.

1. The tool needs no installation: run NetBIOS Enumerater.exe and the main window shown below appears:
[Screenshot: NetBIOS Enumerator main window with the box "IP range to scan" (fields from and to), the buttons Scan and Clear, the field "Your local ip" with the range [1...254], a Settings section and a Debug window.]

2. In the "IP range to scan" box enter the range of IP addresses to scan: the start of the range in the from field and the end of the range in the to field.

3. After entering the range, press Scan.



[Screenshot: NetBIOS Enumerator with the range from: 10.0.0.1 to: 10.0.0.50 entered, the Scan and Clear buttons, "Your local ip" [1...254], the Debug window, and the status "Ready :-)".]



5. To scan a different range, press Clear, enter the new IP range and press Scan. The results include the user accounts found on the responding hosts (user account enumeration).

PSEXEC

PsExec is a lightweight telnet replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software on them (unlike tools such as Symantec's PC Anywhere). Its most powerful uses include launching interactive command prompts on remote systems and running remotely the tools that otherwise only show information about the local system. The commands and their output travel over the network connection, so anyone able to intercept that connection may be able to see the data.

PSFILE

http://technet.microsoft.com/en-us/

PsFile is a command-line utility that shows the list of files on a system that are opened remotely, and it also lets you close opened files by name or by file identifier. Run without parameters, PsFile lists the files on the local system that are open from remote systems. The "-" parameter displays the usage information of the command.

PSGETSID

http://technet.microsoft.com/en-us/

PsGetsid translates SIDs to their display names and vice versa. It works on built-in accounts, domain accounts and local accounts, and it can show the SID of a computer account as well as the SIDs of users on remote systems across the network.

PSKILL

http://technet.microsoft.com/en-us/

PsKill is a kill utility that terminates processes not only on the local system but also on remote systems. You do not need to install a client on the target computer to use PsKill to terminate a remote process.

PSINFO

Source: http://technet.microsoft.com/en-us/

PsInfo is a command-line tool that gathers key information about the local or a remote Windows NT/2000 system, including the type of installation and other system details.

PSLIST

Source: http://technet.microsoft.com/en-us/

PsList is a command-line tool that shows information about the processes running on the local or a remote computer, including memory and CPU usage and thread statistics (threads statistics). The Resource kit tools pstat and pmon provide similar information, but only for the local machine.

PSLOGGEDON

Source: http://technet.microsoft.com/en-us/

You can determine who is using the resources of your local computer with the "net" command, but there is no built-in way to determine who is using the resources of a remote computer, and Windows NT comes with no tools to see who is logged on to a computer, either locally or remotely. PsLoggedOn is an applet that displays both the locally logged-on users and the users logged on through resource connections, for either the local computer or a remote one. If you specify a user name instead of a computer, PsLoggedOn searches the computers of the network neighbourhood and tells you whether that user is currently logged on. PsLoggedOn determines who is logged on by scanning the keys under the HKEY_USERS key of the registry.



PSLOGLIST

Source: http://technet.microsoft.com/en-us/

PsLogList is a command-line tool that dumps the contents of an event log (System Event Log) on the local or a remote computer. It lets you save the logs (logs) to a file, filter the records by various criteria, and search them for a given text (string-search).



PSPASSWD

Source: http://technet.microsoft.com/en-us/

PsPasswd lets you change the password of a user account on the local or on remote computers, which allows administrators to change the password of an account on many computers at once.

PSSHUTDOWN

http://technet.microsoft.com/en-us/

PsShutdown is a command-line utility that lets you shut down or reboot the local computer or a remote computer.



ENUMERATE SYSTEMS USING DEFAULT PASSWORDS

Source: http://www.defaultpassword.com

Network devices such as switches, hubs and routers are often left with the "default passwords" set by their manufacturer. Lists of the default passwords of devices and applications are published on sites such as http://www.defaultpassword.com, shown below:



[Screenshot: defaultpassword.com, "Big bertha says: default passwords", page "default password list", "Browse by character: A B C ... Z 0-9", "Displaying 1812 passwords of total 1812 entrys". The table has the columns Manufactor, Product, Revision, Protocol, User and Password; the visible rows are 3COM products (among them the SuperStack 3 Switch 3300XM, the AirConnect Access Point, the boson router simulator and the CellPlex 7000) with their default Telnet, HTTP and Multi accounts. A second fragment shows an "Enterprise Network" diagram labelled with the device's "Default Username/Pwd".]




ENUMERATING USERNAME/PASSWORD POLICIES

When null sessions are allowed, tools such as samrdump (a Linux tool, samrdump.py) or rpcclient can enumerate the user accounts of the target and obtain details of its account and password policy, as in the following example:



root@bt:~# samrdump.py 192.168.2.102

Retrieving endpoint list from 192.168.2.102
Trying protocol 445/SMB...
Found domain(s):
 . 57DAGBEC7CA4433
 . Builtin

Looking up users in domain 57DAGBEC7CA4433
Found user: Administrator, uid = 500
Found user: Guest, uid = 501



4.3 SNMP ENUMERATION

SNMP (Simple Network Management Protocol) Enumeration

SNMP is the protocol used to manage and monitor the devices of a network. For more background on SNMP, the MIB tree and OIDs, see:

http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol

What is SNMP and what is it for?

The devices of a network (switches, routers, servers and so on) need a way to be managed and monitored from a central place; the Simple Network Management Protocol (SNMP) was created for the management and monitoring of network devices.
SNMP grew out of the Simple Gateway Management Protocol (SGMP) of 1987. It was meant as a temporary solution until the secure Common Management Information Protocol (CMIP) was ready, but SNMP remained the standard because it was simple to implement and to run on any network component (Network component); SNMP agents (SNMP agent) are included in both Windows and UNIX.

SNMP enumeration is the process of enumerating user accounts and devices on a target system using SNMP. SNMP has two main components: the Agent, which runs on the managed device (switch, router, server and so on) and holds the management information, and the Network Management Station (NMS), which sends requests to the Agent.



How does SNMP work?

SNMP is an Application Layer protocol that runs over UDP/IP, using UDP ports 161 and 162. It is a stateless protocol, which makes it vulnerable to IP spoofing (IP Spoofing). SNMP relies on a database called the MIB (Management Information Base) in which the management information of the device is organized, and it defines five message types:

(GET, GET-NEXT, GET-RESPONSE, SET, and TRAP)

The management station sends a Get message to the Agent to read the value of a variable, and the Agent returns the value in a Get-Response message.



[Diagram: the Management Station (PC-PT) sends a Get message to the Agent Server (2620XM), which returns a Get response. NetworkSet]

The Get-Next message asks the Agent for the object that follows the given one in the MIB tree, so the management station can walk through all the variables held by the Agent one after another.

[Diagram: the Management Station (PC-PT) sends a Get-next message to the Agent Server (2620XM), which returns a Get response. NetworkSet]

The Set message is sent by the management station to the Agent to change the value of a variable on the device, that is, to modify its configuration.

[Diagram: the Management Station (PC-PT) sends a Set message to the Agent Server (2620XM). NetworkSet]
The Trap message is sent by the Agent to the SNMP management station without being requested, to report an event on the device, such as an interface going down or up (Link Down/Up), a restart of the device, or a failure of one of its components.



SNMP relies on a password-like value called the SNMP Community String to control access from the SNMP Management Station to the SNMP Agent. The Management station includes the Community String in each request it sends to the Agent (for example a GET); the Agent answers only if the string matches the one it is configured with, and otherwise it does not return the requested data.

Note: the Community String is the only access control in SNMPv1 and SNMPv2. SNMPv3 adds a proper authentication mechanism (Authentication).

SNMP community strings are of two types:

Read community string (read-only): allows viewing the configuration of the devices (devices). The default value on most devices is "public".

Read/Write community string: allows changing or editing the configuration of the devices (devices). The default value on most devices is "private".

The main weakness of SNMP is therefore the Community String: many devices are deployed with the defaults private (rw) and public (r), and the string travels over the network without protection, so it can be guessed or sniffed. Anyone who knows the community string of a device or system can use SNMP to enumerate information about it, such as the ARP table, the routing table (routing table), the network interfaces and their traffic statistics, and details of the device itself.

Tools for SNMP enumeration include SNMPUtil and IP Network Browser.
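To make the community-string weakness concrete, here is an added Python example (not from the original course): a minimal BER decoder for SNMPv1/v2c messages that extracts the version, community string, PDU type, request-id and requested OIDs from a UDP/161 packet, and a check that reports the findings a defender reviewing such traffic would raise. The two packets are hand-encoded constructed samples (both are GetRequests for sysDescr.0, OID 1.3.6.1.2.1.1.1.0); the community "N3t-Ops!" is a made-up value.

```python
"""Decode SNMPv1/v2c messages and flag default or cleartext community strings."""

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}          # value of the version INTEGER on the wire
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample packets (hand-encoded BER, not captured traffic):
# a v1 GetRequest for sysDescr.0 with the default read community "public" ...
SAMPLE_V1_PUBLIC = bytes.fromhex(
    "3026 020100 0406 7075626c6963 a019 020101 020100 020100"
    "300e 300c 0608 2b06010201010100 0500")
# ... and a v2c GetRequest for the same OID with a site-specific (made-up) community.
SAMPLE_V2C_CUSTOM = bytes.fromhex(
    "3028 020101 0408 4e33742d4f707321 a019 020101 020100 020100"
    "300e 300c 0608 2b06010201010100 0500")


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """BER OID bytes -> dotted notation (first byte packs the first two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_snmp(packet):
    """Extract version, community, PDU type, request-id and varbind OIDs."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    _, version, pos = read_tlv(msg, 0)
    version_no = int.from_bytes(version, "big")
    if version_no == 3:
        raise ValueError("SNMPv3 messages carry no community string; not decoded here")
    _, community, pos = read_tlv(msg, pos)     # OCTET STRING, sent in the clear
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if pdu_tag == 0xA4:
        raise ValueError("v1 Trap PDU has a different layout; not decoded here")
    _, request_id, pos = read_tlv(pdu, 0)
    _, _error_status, pos = read_tlv(pdu, pos)
    _, _error_index, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)        # SEQUENCE OF VarBind
    oids, pos = [], 0
    while pos < len(varbinds):
        _, varbind, pos = read_tlv(varbinds, pos)
        _, oid_raw, _ = read_tlv(varbind, 0)   # the value after the OID is not needed here
        oids.append(decode_oid(oid_raw))
    return {
        "version": VERSIONS.get(version_no, str(version_no)),
        "community": community.decode("ascii", "replace"),
        "pdu_type": PDU_TYPES.get(pdu_tag, f"0x{pdu_tag:02x}"),
        "request_id": int.from_bytes(request_id, "big", signed=True),
        "oids": oids,
    }


def assess(info):
    """Return the findings a reviewer of SNMP traffic would raise for this message."""
    findings = []
    if info["version"] in ("v1", "v2c"):
        findings.append("community string sent in clear text (%s)" % info["version"])
    if info["community"] in DEFAULT_COMMUNITIES:
        findings.append("default community string '%s' in use" % info["community"])
    if info["pdu_type"] == "SetRequest":
        findings.append("write access attempted (SetRequest)")
    return findings


if __name__ == "__main__":
    for pkt in (SAMPLE_V1_PUBLIC, SAMPLE_V2C_CUSTOM):
        info = parse_snmp(pkt)
        print(info["version"], info["pdu_type"], repr(info["community"]), info["oids"])
        for finding in assess(info):
            print("  !", finding)
```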



[Diagram: Host X (SNMP Manager) sends a request for active session information with Community String CompInfo to Host Y (SNMP Agent, IP 10.10.2.15) and receives "Active Session Information (No. of sessions: 2, Comm: CompInfo, IP: 10.10.2.15)". Host Z (SNMP Manager, IP 10.10.2.12) sends a request with a different community string; because it does not match the string stored in the MIB database, Host Y sends a trap to a pre-configured SNMP manager indicating the error.]
MANAGEMENT INFORMATION BASE (MIB)

The MIB is a database of hierarchically organized information (hierarchically organized information) that describes the objects managed by the SNMP Agent. Each entry in the MIB is addressed by an object identifier (object identifiers): an Object ID (OID) is a unique numeric path in the MIB tree that identifies one managed object.

A MIB-managed object (MIB-managed object) is either a scalar object (Scalar object), which defines a single object instance, or a tabular object (Tabular object), which defines multiple related object instances grouped in a MIB table. Each object definition specifies the data type (such as counter, string or address), the access level (access level: read-only or read/write), size restrictions (size restrictions) and the valid range. The SNMP manager uses the MIB to translate the numeric OIDs returned by an Agent into readable names.

The MIB can also be viewed through a web browser by entering the IP address of the device followed by Lseries.mib, or its DNS name followed by Lseries.mib, for example http://IP.Address/Lseries.mib or http://libraryname/Lseries.mib.

Microsoft ships a set of MIBs with its SNMP service, including:

DHCP.MIB: Monitors network traffic between DHCP servers and remote hosts, so it describes the DHCP leases handed out to remote clients.
HOSTMIB.MIB: Monitors and manages host resources
LNMIB2.MIB: Contains object types for workstation and server services
WINS.MIB: For Windows Internet Name Service, describing the name records held by the WINS server

SNMP ENUMERATION TOOL: OPUTILS

OpUtils is a collection of network monitoring and diagnostic tools for network engineers and IT administrators. It includes a set of SNMP tools and a MIB browser that can query the MIB of any SNMP-enabled device (routers, switches, servers) and display the values it holds, together with IP address management.




SNMP ENUMERATION TOOL: SolarWinds IP Network Browser

Source: http://www.solarwinds.com

SolarWinds IP Network Browser is a network discovery tool that scans a single device, a subnet or an IP address range using ICMP and SNMP and builds an inventory of the devices it finds on the network. Devices that answer SNMP with the supplied community string are expanded to show the information held in their MIB: for a Cisco router, for example, IP Network Browser lists the ARP table, the interfaces with their addresses and bandwidth, the routing table, and the system and hardware details.

To use it:

1. Install the program with the setup wizard and start it; the Workspace Studio opens as shown in the following figure:



[Screenshot: SolarWinds Workspace Studio. Menu: File, Tabs, View, Devices, Interfaces, Gadgets, External Tools, Help. Toolbar: Add New Device, Manage SNMP Credentials, Manage Telnet/SSH Credentials, Settings, Page Setup, New Tab, Save Selected Tabs, Switch Port Mapper, Telnet/SSH, Interface Chart, TraceRoute. Getting Started: Step 1 - Register the network devices you would like to monitor (Add Device); Step 2 - Drag gadgets from the explorer at left to this workspace and associate them with a device; Step 3 - Add tabs to create groups of gadgets or organize them any way you want. Gadgets pane: CPU and Memory, Interface Chart, Interface Gauge, Interface Table, Response Time Chart, Response Time Gauge, Response Time Table, Tools (Address Management); Memory Gauges gadget with Machine Name and Device fields.]



2. From the External Tools menu choose Classic tools, then Network Discovery, then IP Network Browser:
[Screenshot: IP Network Browser (Engineer's Toolset v10 - Evaluation). Toolbar: New, Restart, Export, Print, Copy, Stop, Zoom, Ping, Telnet, Trace, Config, Surf, Settings, Help. Panels: Scan a Single Device (Hostname or IP Address, Scan Device); Scan a Subnet (Subnet Address, Subnet Mask 255.255.255.0, Scan Subnet); Scan an IP Address Range (Beginning IP Address, Ending IP Address, Scan Address Range).]



3. Enter the target's IP address or host name in the Hostname or IP Address field and click Scan Device. To cover a whole network use Scan a Subnet or Scan an IP Address Range instead.

SNMP ENUMERATION TOOLS

In addition to OpUtils and SolarWinds IP Network Browser, a number of other SNMP enumeration tools are available on the web:

Getif available at http://www.wtcs.org
OidView SNMP MIB Browser available at http://www.oidview.com
iReasoning MIB Browser available at http://tl1.ireasoning.com
SNScan available at http://www.mcafee.com
SNMP Scanner available at http://www.secure-bytes.com
SoftPerfect Network Scanner available at http://www.softperfect.com
SNMP Informant available at http://www.snmp-informant.com
Net-SNMP available at http://net-snmp.sourceforge.net
Nsauditor Network Security Auditor available at http://www.nsauditor.com
Spiceworks available at http://www.spiceworks.com



SNMP ENUMERATION TOOLS WITH KALI 



1. snmpwalk

snmpwalk is an SNMP application from the Net-SNMP suite that uses SNMP GETNEXT requests to query a network entity for a tree of information: starting from the given OID, it asks the agent for the next object again and again until it leaves the requested subtree. Walking the whole tree (OID 1) with the default community string "public" and SNMP version 1:

root@bt:~# snmpwalk -c public -v1 <ip address> 1

The output can be filtered for specific MIB-II and Host Resources objects. Running processes (hrSWRunName):

root@bt:~# snmpwalk -c public -v1 192.168.9.203 1 | grep hrSWRunName | cut -d" " -f4

Open TCP connections (tcpConnState):

root@bt:~# snmpwalk -c public -v1 192.168.9.203 1 | grep tcpConnState | cut -d" " -f4

Installed software (hrSWInstalledName):

root@bt:~# snmpwalk -c public -v1 192.168.9.203 1 | grep hrSWInstalledName

Note that symbolic names such as hrSWRunName appear in the output only when the MIB definition files are installed on the scanning host; otherwise snmpwalk prints numeric OIDs and the grep patterns must be numeric too.



2. snmpcheck

snmpcheck gathers information from a device over SNMP and presents it in a human-readable form, so it is a friendlier front end to the same data a raw snmpwalk returns:

#snmpcheck -t 192.168.10.200



3. braa

braa is a mass SNMP scanner: it can query dozens or hundreds of hosts simultaneously, in a single process, using very few system resources. Unlike snmpwalk it does not rely on the Net-SNMP library; it has its own SNMP implementation, which does not translate ASN.1 names (there is no snmptranslate), so OIDs must be given in numeric form. The following queries sysLocation (.1.3.6.1.2.1.1.6.0) on fifty hosts at once:

#braa 10.253.101.1-10.253.101.50:.1.3.6.1.2.1.1.6.0



4. cisco-auditing-tool

Cisco Auditing Tool (CAT) is a Perl script that scans Cisco routers for common weaknesses: default passwords, default SNMP community strings and the IOS history bug. Usage:

#CAT [options]

OPTIONS

-h hostname (for scanning single hosts)
-f hostfile (for scanning multiple hosts)
-p port # (default port is 23)
-w wordlist (wordlist for community name guessing)
-a passlist (wordlist for password guessing)
-i [ioshist] (check for IOS History bug)
-l logfile (file to log to, default screen)
-q quiet mode (no screen output)

Example, guessing community names from the file wordlist and passwords from the file passwords on one host, and checking for the IOS history bug:

#CAT -h 192.168.1.100 -w wordlist -a passwords -i



5. onesixtyone

onesixtyone is an SNMP scanner that takes advantage of SNMP being a connectionless UDP protocol: instead of waiting for each reply, it sends its requests asynchronously and collects the replies as they arrive, much as Nmap ping sweeps do. The delay between packets is configurable (-w, 10 ms by default); on a 100 Mbps switched network this lets it sweep large ranges quickly, while too short a delay causes lost packets or network congestion. It is used to find the devices that answer to well-known community strings, or to try a list of community strings (-c) against one or more hosts.

#onesixtyone [options] <host> <community>

Options

-c <communityfile> file with community names to try
-i <inputfile> file with target hosts
-o <outputfile> output log
-d debug mode, use twice for more information
-w <n> wait n milliseconds (1/1000 of a second) between sending packets (default 10)
-q quiet mode, do not print log to stdout, use with -l

Example:

#onesixtyone 192.168.1.1



UNIX/LINUX ENUMERATION 4.4

On Unix and Linux hosts the information is gathered with the commands finger, rpcinfo (RPC), rpcclient and showmount:

finger
Enumerates the user and the host. Enables you to view the user's home directory, login time, idle times, office location, and the last time they both received or read mail.
[root$] finger -l @target.hackme.com

rpcinfo
Helps to enumerate the Remote Procedure Call (RPC) protocol. The RPC protocol allows applications to communicate over the network.
[root$] rpcinfo -p 19x.16x.xxx.xx

rpcclient
Using rpcclient we can enumerate user names on Linux and OS X.
[root$] rpcclient $> netshareenum

showmount
Finds the shared directories on the machine.
[root$] showmount -e 19x.16x.xxx.xx
FINGER

The finger command is used to enumerate the users of a host: it shows each user's home directory, login shell, login time, idle time, office location and the time mail was last received or read, together with the contents of the user's .plan and .project files. Synopsis:

#finger [-b] [-f] [-h] [-i] [-l] [-m] [-p] [-q] [-s] [-w] [username]

Options:

[-b]: brief format; suppresses printing the user's home directory and shell in a long-format printout.
[-f]: suppresses printing the header that is normally printed in a non-long format printout.
[-h]: suppresses printing of the .project file in a long-format printout.
[-i]: "idle" format: like the short output, but shows only the login name, terminal, login time and idle time.
[-l]: forces the long output format.
[-m]: matches arguments only on the user's name, not on the first or last name.
[-p]: suppresses printing of the .plan file in a long-format printout.
[-q]: "quick" format: like the short output, but shows only the login name, terminal and login time.
[-s]: forces the short output format.
[-w]: suppresses printing the full name in a short-format printout.

For example, the command [root$finger -l @target.hackme.com] gives a long-format listing of every user currently logged into the host target.hackme.com.

RPCINFO (RPC)

rpcinfo makes an RPC call to an RPC server and reports what it finds; it is used to enumerate the Remote Procedure Call programs registered on a host. Synopsis:

rpcinfo [-m | -s] [host]
rpcinfo -p [host]
rpcinfo -T transport host prognum [versnum]
rpcinfo -l [-T transport] host prognum versnum
rpcinfo [-n portnum] -u host prognum [versnum]
rpcinfo [-n portnum] -t host prognum [versnum]
rpcinfo -a serv_address -T transport prognum [versnum]
rpcinfo -b [-T transport] prognum versnum
rpcinfo -d [-T transport] prognum versnum

Options:

[-m]: displays a table of statistics of rpcbind operations on the given host. The table shows statistics for each version of rpcbind (versions 2, 3 and 4), giving the number of times each procedure was requested and successfully serviced, the number and type of remote call requests that were made, and information about RPC address lookups that were handled.
[-s]: displays a concise list of all registered RPC programs on the host. If host is not specified, it defaults to the local host.
[-p]: probes rpcbind on the host using version 2 of the rpcbind protocol and displays a list of all registered RPC programs. If host is not specified, it defaults to the local host. Version 2 of the rpcbind protocol was previously known as the portmapper.
[-t]: makes an RPC call to procedure 0 of prognum on the specified host using TCP, and reports whether a response was received. This option is made obsolete by -T.
[-l]: displays a list of entries with a given prognum and versnum on the specified host. Entries are returned for all transports in the same protocol family as the one used to contact the remote rpcbind.
[-b]: makes an RPC broadcast to procedure 0 of the specified prognum and versnum and reports all hosts that respond. If transport is specified, the request is broadcast only on that transport; if broadcasting is not supported by any transport, an error message is printed. Use of broadcasting should be limited because of the potential for adverse effects on other systems.
[-d]: deletes the registration of the RPC service with the specified prognum and versnum. If transport is specified, only the service on that transport is deleted. This option can be exercised only by the privileged user.
[-u]: makes an RPC call to procedure 0 of prognum on the specified host using UDP, and reports whether a response was received. This option is made obsolete by -T.
[-a serv_address]: uses serv_address as the (universal) address for the service on transport to ping procedure 0 of the specified prognum and reports whether a response was received. The -T option is required with -a. If versnum is not specified, rpcinfo tries to ping all available version numbers for that program. This option avoids calls to the remote rpcbind to find the address of the service; serv_address is given in the universal address format of the transport.
[-n portnum]: uses portnum as the port number for the -t and -u options instead of the port number given by the portmapper. This avoids a call to the remote portmapper to find out the address of the service. This option is made obsolete by -a.
[-T]: specifies the transport on which the service is required. If this option is not given, rpcinfo uses the transport specified in the NETPATH environment variable or, if that is unset or NULL, the transport in the netconfig database. This is a generic option and can be used together with the other options as shown in the synopsis.

For example, the command [root$rpcinfo -p 19x.16x.xxx.xx] lists the RPC programs registered on the host 19x.16x.xxx.xx.
RPCCLIENT

rpcclient is a utility for executing client-side MS-RPC functions; it can enumerate user names and shares on Linux and OS X hosts (as well as Windows). It is part of the Samba suite. Synopsis:

#rpcclient [-A authfile] [-c <command string>] [-d debuglevel] [-h] [-l logdir] [-N] [-s <smb config file>] [-U username[%password]] [-W workgroup] [-I destinationIP] {server}

Options:

[-c <command string>]: executes the semicolon-separated commands given in the string.
[-I destinationIP]: the IP address of the server to connect to, in the standard "a.b.c.d" notation.
[-p portnum]: the TCP port number to use when connecting; the default is 139 for SMB/CIFS over NetBIOS.
[-d debuglevel]: an integer from 0 to 10; the default is 0 if not specified. The higher the value, the more detail is logged about the program's activities. Level 0 logs only critical errors and serious warnings, level 1 is a reasonable level for day-to-day running, and higher levels are for debugging and generate considerable amounts of log data.
[-V]: prints the program version number.
[-s <smb config file>]: the file containing the configuration details required by the server (normally smb.conf). The default is compiled into the binary; the file describes, among other things, the services the server provides and the printcap file it uses.
[-l logdirectory]: the base directory for the log/debug files. The extension ".progname" is appended (e.g. log.smbclient, log.smbd). The log file is never removed by the client.
[-N]: suppresses the normal password prompt; used for null-session (anonymous) connections.
[-A authfile]: the file containing the username and password used for the connection, in the format:

username = <value>
password = <value>
domain = <value>

Make sure the permissions on this file restrict access from unwanted users.
[-U username[%password]]: sets the SMB username, or username and password. If %password is not given, the user is prompted for it.
[-W domain]: sets the SMB domain of the username. This overrides the default domain, which is the domain defined in smb.conf; if the domain given is the same as the server's NetBIOS name, the client logs on using the server's local SAM (as opposed to the domain SAM).
[-h]: prints a summary of the command-line options (help).

SHOWMOUNT

showmount displays the file systems shared (exported) by an NFS server and which clients have mounted them. It queries the mount daemon (RPC mountd) on the remote host: mountd answers file-system mount requests and records every client mount in /etc/rmtab. Clients that crash or are switched off never send an unmount request, so /etc/rmtab accumulates stale entries and the list of mounted directories is only approximate; the export list (-e) is authoritative, and is what an attacker wants, because it shows which directories can be mounted from the network and by whom.

The synopsis of mountd is:

#/usr/lib/nfs/mountd [-v] [-r]

The synopsis of showmount is:

#/usr/sbin/showmount [-ade] [hostname]

The options available with showmount are:

1. [showmount -a]: prints all remote mounts in the form hostname:directory, where hostname is the name of the client and directory is the root of the file system it has mounted.

2. [showmount -e]: prints the list of shared (exported) file systems:

#showmount -e server1.example.com

Export list for server1.example.com:
/mnt  [allowed clients]

3. [showmount -d]: lists only the directories that have been remotely mounted by clients:

#showmount -d server1.example.com

Directories on server1.example.com:
/home
/mnt

Note: if the command hangs or returns nothing, the connection to the mount daemon is most likely blocked by a firewall.

LINUX ENUMERATION TOOL: ENUM4LINUX

Source: https://labs.portcullis.co.uk

Enum4linux is a tool for enumerating information from Windows and Samba systems; it wraps the Samba tools (smbclient, rpcclient, net and nmblookup) and collects their output. Its features are:

RID Cycling (when RestrictAnonymous is set to 1 on Windows 2000)
User Listing (when RestrictAnonymous is set to 0 on Windows 2000)
Listing of Group Membership Information
Share Enumeration
Detecting if host is in a Workgroup or a Domain
Identifying the remote Operating System
Password Policy Retrieval (using polenum)

A sample run against a Windows 2000 host:


Starting enum4linux v0.8 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Apr 2 14:14:35

 Target Information
Target ........... 192.168.2.55
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 Enumerating Workgroup/Domain on 192.168.2.55
[+] Got domain/workgroup name: WORKGROUP

 Getting domain SID for 192.168.2.55
Domain Name: WORKGROUP
Domain Sid: S-0-0
[+] Host is part of a workgroup (not a domain)

 Session Check on 192.168.2.55
[+] Server 192.168.2.55 allows sessions using username '', password ''

 Users on 192.168.2.55 via RID cycling (RIDS: 500-550,1000-1050)
[I] Assuming that user "administrator" exists
[+] Got SID: S-1-5-21-1801674531-1482476501-725345543 using username '', password ''
S-1-5-21-1801674531-1482476501-725345543-500 W2KSQL\Administrator (Local User)
S-1-5-21-1801674531-1482476501-725345543-501 W2KSQL\Guest (Local User)
S-1-5-21-1801674531-1482476501-725345543-513 W2KSQL\None (Domain Group)
S-1-5-21-1801674531-1482476501-725345543-1000 W2KSQL\TsInternetUser (Local User)
S-1-5-21-1801674531-1482476501-725345543-1001 W2KSQL\IUSR_W2KSQL (Local User)
S-1-5-21-1801674531-1482476501-725345543-1002 W2KSQL\IWAM_W2KSQL (Local User)
S-1-5-21-1801674531-1482476501-725345543-1004 W2KSQL\mark (Local User)
S-1-5-21-1801674531-1482476501-725345543-1005 W2KSQL\bob (Local User)
S-1-5-21-1801674531-1482476501-725345543-1006 W2KSQL\tracie (Local User)
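The following is an added example, not part of enum4linux or of the page: a parser for the RID-cycling block and the checks a tester runs on it. SAMPLE_OUTPUT is constructed after the listing above (the SIDs and names are invented, and RID 500 is deliberately renamed to "sysop" to exercise the renamed-administrator check).

```python
"""Reading enum4linux RID-cycling output (added example; not part of enum4linux or the page).
SAMPLE_OUTPUT is constructed after the listing above: the SIDs and names are invented, and
RID 500 is deliberately renamed to "sysop" to exercise the renamed-administrator check."""
import re

SID_LINE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)\s+([^\\\s]+)\\(\S+)\s+\((Local User|Local Group|Domain User|Domain Group)\)")
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests", 515: "Domain Computers",
                   516: "Domain Controllers", 519: "Enterprise Admins"}
SERVICE_PREFIXES = ("IUSR_", "IWAM_", "TSINTERNETUSER")   # IIS anonymous/out-of-process and Terminal Services accounts

SAMPLE_OUTPUT = """\
[+] Got SID: S-1-5-21-1801674531-1482476501-725345543 using username '', password ''
S-1-5-21-1801674531-1482476501-725345543-500 W2KSQL\\sysop (Local User)
S-1-5-21-1801674531-1482476501-725345543-501 W2KSQL\\Guest (Local User)
S-1-5-21-1801674531-1482476501-725345543-513 W2KSQL\\None (Domain Group)
S-1-5-21-1801674531-1482476501-725345543-1000 W2KSQL\\TsInternetUser (Local User)
S-1-5-21-1801674531-1482476501-725345543-1001 W2KSQL\\IUSR_W2KSQL (Local User)
S-1-5-21-1801674531-1482476501-725345543-1002 W2KSQL\\IWAM_W2KSQL (Local User)
S-1-5-21-1801674531-1482476501-725345543-1004 W2KSQL\\mark (Local User)
S-1-5-21-1801674531-1482476501-725345543-1006 W2KSQL\\tracie (Local User)
"""


def parse_rid_cycling(text):
    """Return (domain SID, [{rid, host, name, kind}, ...]) from the RID-cycling lines of an enum4linux run."""
    domain_sid, accounts = None, []
    for line in text.splitlines():
        m = SID_LINE.match(line.strip())
        if not m:
            continue
        domain_sid = domain_sid or m.group(1)
        accounts.append({"rid": int(m.group(2)), "host": m.group(3), "name": m.group(4), "kind": m.group(5)})
    return domain_sid, accounts


def analyse(accounts, next_width=50):
    """The findings a tester acts on. RID 500 is the built-in Administrator whatever it is called;
    RIDs are handed out sequentially and never reused, so a gap is a deleted account and the highest
    RID seen says how far to extend the range (-r) on the next run."""
    findings = {"renamed_admin": None, "service_accounts": [], "user_accounts": [], "gaps": [], "next_range": None}
    for a in accounts:
        if a["rid"] == 500 and a["name"].lower() != "administrator":
            findings["renamed_admin"] = a["name"]
        elif a["kind"] == "Local User" and a["name"].upper().startswith(SERVICE_PREFIXES):
            findings["service_accounts"].append(a["name"])
        elif a["kind"] == "Local User" and a["rid"] >= 1000:          # created accounts start at RID 1000
            findings["user_accounts"].append(a["name"])
    rids = sorted(a["rid"] for a in accounts if a["rid"] >= 1000)
    if rids:
        findings["gaps"] = [r for r in range(rids[0], rids[-1]) if r not in rids]
        findings["next_range"] = (rids[-1] + 1, rids[-1] + next_width)
    return findings


def describe(rid, name):
    """Label a well-known RID, flagging a mismatch between the RID and the name it carries."""
    expected = WELL_KNOWN_RIDS.get(rid)
    if expected is None or name.lower() == expected.lower():
        return name
    return f"{name} (RID {rid} is really {expected})"
```

Run on the constructed sample, analyse() reports "sysop" as the renamed administrator, the three IIS/Terminal Services service accounts, "mark" and "tracie" as the human accounts worth a password-guessing attempt, RIDs 1003 and 1005 as deleted accounts, and 1007-1056 as the range to cycle next.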



LDAP ENUMERATION 4.5

LDAP (Lightweight Directory Access Protocol) is an Internet protocol for accessing distributed directory services. A directory service stores and organizes information about the network's users, groups, systems and resources; directory servers exchange and replicate that data among themselves, and because the directory is shared with the whole network, the information it holds is extremely valuable to an attacker who gains access to it.

LDAP is used to access Active Directory and other directory services, for example to read management and user information from the directory. It is tightly integrated with DNS for fast lookups and query resolution, and it normally listens on TCP port 389 (related directory protocols use neighbouring ports). A client starts an LDAP session by connecting to the directory server on port 389 and sending an operation request, and the server answers with the result. If the directory allows anonymous binds, an attacker can query it without credentials and harvest information such as valid user names, addresses and departmental details, which is then used for social engineering and further attacks.


LDAP ENUMERATION TOOL: SOFTERRA LDAP ADMINISTRATOR

Source: http://www.ldapadministrator.com

Softerra LDAP Administrator is an LDAP administration and browsing tool that works with LDAP servers such as Active Directory, Novell Directory Services, Netscape/iPlanet and others. It browses the directory tree and shows the information held in each entry, supports bulk update operations on many entries at once, and offers LDAP-SQL, which lets LDAP entries be queried and managed with SQL-like statements.
LDAP ENUMERATION TOOLS

Many other LDAP enumeration tools can be used to query Active Directory or any other LDAP directory service and extract the information it holds. A number of LDAP enumeration tools are available on the web:

JXplorer available at http://www.jxplorer.org
LDAP Admin Tool available at http://www.ldapsoft.com
LDAP Account Manager available at http://www.ldap-account-manager.org
LEX - The LDAP Explorer available at http://www.ldapexplorer.com
LDAP Admin available at http://www.ldapadmin.org
Active Directory Explorer available at http://technet.microsoft.com
LDAP Administration Tool available at http://sourceforge.net
LDAP Search available at http://securityxploded.com
Active Directory Domain Services Management Pack available at http://www.microsoft.com
LDAP Browser/Editor available at http://www.novell.com



NTP ENUMERATION 4.6

This section shows how to enumerate information from NTP servers.

Before enumerating NTP we should know what NTP is. NTP (Network Time Protocol) is the protocol designed to synchronize the clocks of networked computers; directory services and authentication depend on the clocks of all hosts agreeing, so almost every network runs it. NTP uses UDP port 123 as its primary means of communication, and it can keep time to within 10 milliseconds (1/100 of a second) over the public Internet.

NTP enumeration means querying the NTP server for information such as the list of hosts connected to it, the IP addresses of the clients in the network, their system names and operating systems, and, if the NTP server is in the DMZ, the internal IP addresses of the hosts behind it.



NTP ENUMERATION COMMANDS

NTP enumeration is done with the NTP suite command-line tools. They let us query the NTP server and retrieve valuable information about the hosts that use it. The most useful commands are:

ntptrace
ntpdc
ntpq

NTPTRACE

ntptrace traces the chain of NTP servers from the local host back to the primary time source, printing each server's stratum, clock offset and synchronization distance; it uses the ntpq tool to query each server in turn. Synopsis:

#ntptrace [-vdn] [-r retries] [-t timeout] [servername/IPaddress]



root@jana:~# ntptrace
localhost: stratum 3, offset 0.000000, synch distance 3.114775
41.231.7.85: timed out, nothing received
***Request timed out
root@jana:~#









NTPDC

ntpdc queries the NTP daemon (ntpd) about its current state and can request changes to that state, using the NTP mode 7 control protocol. For enumeration its most useful query is monlist, which returns the most recent hosts (up to 600) that have exchanged NTP packets with the server. (monlist is also the query abused for NTP amplification attacks; ntpd 4.2.7p26 and later no longer answer it.) Synopsis:

#ntpdc [-ilnps] [-c command] [hostname/IPaddress]

Example of ntpdc, listing its commands and then the hosts seen by the server:



root@jana:~# ntpdc
ntpdc> ?
ntpdc commands:
addpeer       controlkey    fudge         keytype       quit          timeout
addrefclock   ctlstats      help          listpeers     readkeys      timerstats
addserver     debug         host          loopinfo      requestkey    traps
addtrap       delay         hostnames     memstats      reset         trustedkey
authinfo      delrestrict   ifreload      monlist       reslist       unconfig
broadcast     disable       ifstats       passwd        restrict      unrestrict
clkbug        dmpeers       iostats       peers         showpeer      untrustedkey
clockstat     enable        kerninfo      preset        sysinfo       version
clrtrap       exit          keyid         pstats        sysstats
ntpdc> monlist
remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
ns2.atlax.com            123 192.168.1.106         22 4 4      1d0     42       1
a.ntp.ru.ac.za           123 192.168.1.106         21 4 4      1d0     44      12
ns3.atlax.com            123 192.168.1.106         20 4 4      1d0     46      17
ops2.neology.co.za       123 192.168.1.106         21 4 4      1d0     44      38
ntpdc>

The monlist output gives, for each remote host that has talked to the server at 192.168.1.106, the number of packets seen (count), the NTP mode and version it used (m, ver), the restriction flags applied to it (rstr) and the average and last intervals between its packets (avgint, lstint).













https://www.facebook.com/tibea2004 



NTPQ

ntpq monitors the operations of the NTP daemon ntpd and reports on its performance; it uses the standard NTP mode 6 control messages, so it also works against servers that do not answer ntpdc. Synopsis:

#ntpq [-inp] [-c command] [host/IPaddress]

Example of ntpq, listing its commands and reading the server's system variables:



root@jana:~# ntpq
ntpq> ?
ntpq commands:
:config          delay            mreadvar         readlist
addvars          exit             mrl              readvar
associations     help             mrv              rl
authenticate     host             ntpversion       rmvars
cl               hostnames        opeers           rv
clearvars        keyid            passociations    saveconfig
clocklist        keytype          passwd           showvars
clockvar         lassociations    peers            timeout
config-from-file lopeers          poll             version
cooked           lpassociations   pstatus          writelist
cv               lpeers           quit             writevar
debug            mreadlist        raw
ntpq> version
ntpq 4.2.6p5@1.2349-o Sat May 12 09:07:20 UTC 2012 (1)
ntpq> host
current host is localhost
ntpq> readlist
assid=0 status=0618 leap_none, sync_ntp, 1 event, no_sys_peer,
version="ntpd 4.2.6p5@1.2349-o Sat May 12 09:07:18 UTC 2012 (1)",
processor="i686", system="Linux/3.7-trunk-686-pae", leap=00, stratum=3,
precision=-19, rootdelay=311.410, rootdisp=384.484, refid=41.73.40.9,
reftime=d6ff7423.14a2df8f  Mon, Apr 21 2014 12:40:35.080,
clock=d6ff755c.f1dbf0e1  Mon, Apr 21 2014 12:45:48.944, peer=15856, tc=6,
mintc=3, offset=3.388, frequency=24.063, sys_jitter=11.021,
clk_jitter=30.244, clk_wander=0.915
ntpq>

The readlist variables identify the server's software version and operating system (processor, system), its stratum and its upstream time source (refid), all of which are useful fingerprinting information.



SMTP ENUMERATION 4.7

The objective is to enumerate the information held by the SMTP mail server, above all the valid user accounts on it. Attackers connect directly to the SMTP service and use its built-in commands to find which e-mail accounts exist on the server.

SMTP provides three built-in commands whose replies differ for valid and invalid users:

VRFY: validates a user (asks the server whether the mailbox exists).
EXPN: tells the actual delivery addresses behind an alias name or a mailing list.
RCPT TO: defines the recipients of a message.

Because the server answers VRFY, EXPN and RCPT TO differently for a valid user and for an invalid user, watching the replies is enough to determine the valid users on the SMTP server. Attackers can interact with the SMTP server directly with telnet, as in the following examples:



Using the SMTP VRFY command:

$ telnet 192.168.168.1 25
Trying 192.168.168.1...
Connected to 192.168.168.1.
Escape character is '^]'.
220 NYmailserver ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 NYmailserver Hello [10.0.0.86], pleased to meet you
VRFY Jonathan
250 Super-User <Jonathan@NYmailserver>
VRFY Smith
550 Smith... User unknown

Using the SMTP EXPN command:

$ telnet 192.168.168.1 25
Trying 192.168.168.1...
Connected to 192.168.168.1.
Escape character is '^]'.
220 NYmailserver ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 NYmailserver Hello [10.0.0.86], pleased to meet you
EXPN Jonathan
250 Super-User <Jonathan@NYmailserver>
EXPN Smith
550 Smith... User unknown

Using the SMTP RCPT TO command:

$ telnet 192.168.168.1 25
Trying 192.168.168.1...
Connected to 192.168.168.1.
Escape character is '^]'.
220 NYmailserver ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 NYmailserver Hello [10.0.0.86], pleased to meet you
MAIL FROM: Jonathan
250 Jonathan... Sender ok
RCPT TO: Ryder
250 Ryder... Recipient ok
RCPT TO: Smith
550 Smith... User unknown
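The following is an added example, not from the page or from any mail server: the client side of the three probes above written as one loop, run against a small in-process stand-in for the Sendmail server of the transcripts (ToyMTA, whose users, alias and banner are constructed), with a socket adapter for real targets. The reply-code handling is the part worth copying: only a 250 or 251 final reply confirms a user, while 252 means the server refuses to say, and a test on the "25" prefix would wrongly count every probe as a hit.

```python
"""SMTP user enumeration over VRFY, EXPN and RCPT TO (added example, not from the page).
ToyMTA stands in for the Sendmail server of the transcripts above so the probe loop runs
offline; its users, alias and banner are constructed. SocketSession gives the same command()
interface over a real TCP connection and is the only part that touches the network."""
import socket


class ToyMTA:
    """Just enough server state to answer the three enumeration commands the way Sendmail does."""
    USERS = {"jonathan": "Super-User", "ryder": "Ryder"}                 # constructed
    LISTS = {"staff": ["jonathan@NYmailserver", "ryder@NYmailserver"]}   # constructed alias

    def __init__(self):
        self.banner = "220 NYmailserver ESMTP Sendmail 8.9.3"
        self.sender = None

    def command(self, line):
        """Return the reply as a list of lines (more than one for a multi-line 250- reply)."""
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "HELO":
            return ["250 NYmailserver Hello [10.0.0.86], pleased to meet you" if arg
                    else "501 HELO requires domain address"]
        if verb == "VRFY":
            user = self.USERS.get(arg.lower())
            return [f"250 {user} <{arg}@NYmailserver>" if user else f"550 {arg}... User unknown"]
        if verb == "EXPN":
            members = self.LISTS.get(arg.lower()) or ([f"{arg}@NYmailserver"] if arg.lower() in self.USERS else [])
            return ([f"250{'-' if i < len(members) - 1 else ' '}<{m}>" for i, m in enumerate(members)]
                    or [f"550 {arg}... User unknown"])
        if verb == "MAIL":
            self.sender = arg.partition(":")[2].strip()
            return [f"250 {self.sender}... Sender ok"]
        if verb == "RCPT":
            if not self.sender:
                return ["503 Need MAIL before RCPT"]
            rcpt = arg.partition(":")[2].strip().strip("<>")
            return [f"250 {rcpt}... Recipient ok" if rcpt.lower() in self.USERS else f"550 {rcpt}... User unknown"]
        if verb == "QUIT":
            return ["221 NYmailserver closing connection"]
        return ["502 Command not implemented"]


class SocketSession:
    """Same command() interface over a real connection; assembles multi-line (250-) replies."""
    def __init__(self, host, port=25, timeout=10):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.f = self.sock.makefile("rwb")
        self.banner = self._reply()[-1]

    def _reply(self):
        lines = []
        while True:
            line = self.f.readline().decode("latin-1").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":      # "250-" continues, "250 " (or EOF) ends the reply
                return lines

    def command(self, line):
        self.f.write((line + "\r\n").encode())
        self.f.flush()
        return self._reply()


def confirmed(reply):
    """Only 250/251 confirm a mailbox. 252 ("cannot VRFY user, but will accept message") is the
    server refusing to say, so a test on the "25" prefix would count every user as valid."""
    return reply[-1][:3] in ("250", "251")


def enumerate_users(session, candidates, method="VRFY", sender="probe@example.com"):
    """Probe each candidate with VRFY, EXPN or RCPT TO and return {name: confirmed?}."""
    session.command("HELO probe.example.com")
    if method == "RCPT":
        session.command(f"MAIL FROM: <{sender}>")          # one envelope sender serves every RCPT TO probe
    results = {}
    for name in candidates:
        probe = {"VRFY": f"VRFY {name}", "EXPN": f"EXPN {name}", "RCPT": f"RCPT TO: <{name}>"}[method]
        results[name] = confirmed(session.command(probe))
    session.command("QUIT")
    return results
```

enumerate_users(ToyMTA(), ["Jonathan", "Smith"], "VRFY") reproduces the first transcript above; enumerate_users(SocketSession("mail.example.com"), names, "RCPT") runs the same loop against a real server. RCPT TO is the probe that still works when VRFY and EXPN have been disabled, because a server has to accept or reject recipients to deliver mail at all; the only defence against it is to stop giving different answers for unknown and known recipients, which is the first of the SMTP countermeasures listed later in this section.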
SMTP ENUMERATION TOOL: NETSCANTOOLS PRO

http://www.netscantools.com

The NetScanTools Pro SMTP Email Generator tool tests the process of sending an e-mail message through an SMTP server. It lets you set the sender and recipient addresses, the subject, the message body and the confirm/urgent flags, and it can repeat the test. The SMTP log records the whole conversation between NetScanTools and the SMTP server, so the server's reply to each command can be examined.

The NetScanTools Pro Email Relay Testing Tool checks whether an SMTP server allows mail relaying by sending a series of test messages through it; the results are written to the SMTP log and can be viewed as text or in a web browser.


[Screenshot: NetScanTools Pro (demo build based on version 11.19), Manual Tools - SMTP Server Tests: "Use this tool to send test SMTP messages and to check servers for email relaying." Fields: SMTP mail server name (server.domain.com or IP address, required), Send Test Message, Stop Sending Test Message; Email Relay Testing: Your Sending Domain Name, HELO, SMTP Port, Network Timeout (sec) 15, View SMTP Log File, Delete SMTP File, Start SMTP Relay Test, Stop Relay Test, View Relay Test Results (as text or in web browser), Tests to run 1-17, Clear All Tests, Set All Tests. Left pane: Automated Tools, Manual Tools (RPC Info, Service Lookup, Simple Services, SMTP Server Tests, SNMP Core), Favorite Tools, Active Discovery Tools, Passive Discovery Tools, DNS Tools, Packet Level Tools, External Tools, Program Info.]



DNS ENUMERATION 4.8

The section has so far covered NetBIOS, SNMP, Unix/Linux, LDAP, NTP and SMTP enumeration; now we turn to DNS enumeration, which is done through DNS zone transfers and by querying DNS records.

DNS ZONE TRANSFER ENUMERATION USING NSLOOKUP

DNS zone transfer enumeration reveals the target's DNS records and the host names and IP addresses of its servers. It is performed with tools such as nslookup and DNSstuff. An attacker first finds the target's DNS server, then asks it to transfer the zone; if the server is misconfigured to allow zone transfers to anyone, the whole zone (the database that maps names to addresses for the domain) is copied to the attacker's host and every record in it can be examined.

The following figure shows a DNS zone transfer with NSLOOKUP:



Command Prompt

C:\>nslookup
Default Server:  ns1.example.com
Address:  10.219.100.1

> server 192.168.234.110
Default Server:  corp-dc.example2.org
Address:  192.168.234.110

> ls -d example2.org
[192.168.234.110]
 example2.org.                  SOA    corp-dc.example2.org admin.
 example2.org.                  A      192.168.234.110
 example2.org.                  NS     corp-dc.example2.org
 _gc._tcp                       SRV    priority=0, weight=100, port=3268, corp-dc.example2.org
 _kerberos._tcp                 SRV    priority=0, weight=100, port=88, corp-dc.example2.org
 _kpasswd._tcp                  SRV    priority=0, weight=100, port=464, corp-dc.example2.org

The SRV records are the most telling part of an Active Directory zone: _gc._tcp, _kerberos._tcp and _kpasswd._tcp name the host that runs the Global Catalog, the Kerberos KDC and the password-change service, i.e. the domain controller, together with the ports those services listen on.
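The following is an added example, not from the page: a parser for the nslookup ls -d listing above that extracts what a tester most wants from a leaked zone, the Active Directory domain controllers with their service ports and addresses, and the other hosts the transfer exposed. SAMPLE_ZONE is constructed after the listing (an _ldap._tcp SRV record and the corp-dc and fileserver A records are added as assumptions); it is not a real zone.

```python
"""What a leaked AD zone tells a tester (added example, not from the page).
SAMPLE_ZONE is constructed after the nslookup `ls -d` listing above; the added
_ldap._tcp SRV record and the corp-dc/fileserver A records are assumptions."""
import re

SAMPLE_ZONE = """\
 example2.org.                  SOA    corp-dc.example2.org admin.
 example2.org.                  A      192.168.234.110
 example2.org.                  NS     corp-dc.example2.org
 _gc._tcp                       SRV    priority=0, weight=100, port=3268, corp-dc.example2.org
 _kerberos._tcp                 SRV    priority=0, weight=100, port=88, corp-dc.example2.org
 _kpasswd._tcp                  SRV    priority=0, weight=100, port=464, corp-dc.example2.org
 _ldap._tcp                     SRV    priority=0, weight=100, port=389, corp-dc.example2.org
 corp-dc                        A      192.168.234.110
 fileserver                     A      192.168.234.120
"""

SRV_DATA = re.compile(r"priority=(\d+),\s*weight=(\d+),\s*port=(\d+),\s*(\S+)")
AD_LOCATORS = {"_ldap._tcp": "LDAP", "_gc._tcp": "Global Catalog",
               "_kerberos._tcp": "Kerberos KDC", "_kpasswd._tcp": "Kerberos password change"}


def parse_zone_listing(text, zone):
    """nslookup `ls -d` lines -> [(owner FQDN, record type, data)]; relative owners get the zone appended."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        owner, rtype, data = parts
        fqdn = owner.rstrip(".") if owner.endswith(".") else f"{owner}.{zone}"
        records.append((fqdn.lower(), rtype.upper(), data.strip()))
    return records


def domain_controllers(records, zone):
    """Hosts named in the AD locator SRV records, with the service ports they advertise and their A records."""
    addresses = {owner: data for owner, rtype, data in records if rtype == "A"}
    dcs = {}
    for owner, rtype, data in records:
        m = SRV_DATA.search(data) if rtype == "SRV" else None
        if not m:
            continue
        service = owner[: -len(zone) - 1] if owner.endswith("." + zone) else owner   # e.g. "_ldap._tcp"
        host = m.group(4).rstrip(".").lower()
        dc = dcs.setdefault(host, {"services": {}, "addresses": []})
        dc["services"][AD_LOCATORS.get(service, service)] = int(m.group(3))
        if host in addresses and addresses[host] not in dc["addresses"]:
            dc["addresses"].append(addresses[host])
    return dcs


def other_hosts(records, dcs):
    """A records pointing somewhere other than a DC: the rest of what the transfer leaked."""
    dc_ips = {ip for dc in dcs.values() for ip in dc["addresses"]}
    return sorted({owner for owner, rtype, data in records if rtype == "A" and data not in dc_ips})
```

On the constructed sample, domain_controllers() reports corp-dc.example2.org at 192.168.234.110 offering LDAP (389), Global Catalog (3268), Kerberos KDC (88) and Kerberos password change (464), and other_hosts() returns fileserver.example2.org; against a real zone dump the same functions give the target list for the LDAP and SMB enumeration steps that follow.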



ENUMERATION COUNTERMEASURES 4.9

This section lists the countermeasures that prevent enumeration of the services discussed so far: SNMP, DNS, SMTP, LDAP and SMB.

SNMP ENUMERATION COUNTERMEASURES:

1. Remove the SNMP agent or turn off the SNMP service on hosts that do not need it.
2. If shutting off SNMP is not an option, change the default "public" community name to one that is hard to guess.
3. Upgrade to SNMPv3, which encrypts the passwords and messages (SNMPv1 and SNMPv2c send the community string in clear text).
4. Implement the Group Policy security option "Additional restrictions for anonymous connections".
5. Restrict access to null session pipes and null session shares.
6. Block access to TCP/UDP port 161 at the perimeter and on host firewalls.
7. Use IPsec filtering to limit which hosts may talk to the SNMP agent, or to authenticate and encrypt its traffic.
DNS ENUMERATION COUNTERMEASURES:

1. Configure all name servers to disable DNS zone transfers to untrusted hosts; only the secondary name servers that need the zone should be allowed to transfer it.
2. Ensure that private hosts and their IP addresses are not published in the DNS zone files of public DNS servers.
3. Use premium DNS registration services that hide sensitive information, such as HINFO records, from the public.
4. Use standard network administration contacts for DNS registrations to avoid social engineering attacks.

SMTP ENUMERATION COUNTERMEASURES:

SMTP enumeration can be prevented by:

1. Configuring the SMTP server to ignore e-mail messages to unknown recipients, so that VRFY, EXPN and RCPT TO no longer give different answers for known and unknown users.
2. Not including sensitive mail server and local host information in mail responses.
3. Disabling the open relay feature.

LDAP ENUMERATION COUNTERMEASURES:

1. Use NTLM or Basic authentication to limit access to known users only.
2. By default, LDAP traffic is transmitted unsecured; use SSL/TLS to encrypt the traffic.

SMB ENUMERATION COUNTERMEASURES:

The Server Message Block (SMB) protocol provides shared access to files, printers and serial ports, and carries other communications between nodes on the network. If this service is not needed on the network, or on a particular host, it should be disabled, since every exposed SMB service is a target for enumeration.

To disable SMB on a Windows host:

1. Open the Ethernet adapter's Properties.
2. Uncheck Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks.
3. Confirm with OK.




[Screenshot: Windows network connection Properties dialog. Connect using: Broadcom NetLink (TM) Gigabit adapter. This connection uses the following items: QoS Packet Scheduler, File and Printer Sharing for Microsoft Networks, Microsoft Network Adapter Multiplexor Protocol, Microsoft LLDP Protocol Driver, Link-Layer Topology Discovery Mapper I/O Driver, Link-Layer Topology Discovery Responder. Description: Allows your computer to access resources on a Microsoft network. OK / Cancel.]
ENUMERATION PEN TESTING 4.10

Enumeration penetration testing is used to identify valid user accounts and poorly protected resource shares by means of active connections to the target systems and directed queries. The information gathered is of three kinds: users and groups, network resources and shares, and applications. For each kind the tester checks how much of it an attacker could obtain and what harm would follow if it fell into the wrong hands, for instance which user accounts could be attacked with password guessing. The following steps are used to perform enumeration in a penetration test:



Find the network range jUaj diaalt -l 



^ START 




t 

V 




W V 


Use tools such as 
Who Is Lookup 


V 




l li 
Calcuiate the 

subnet mask 


1 II 

Use Subnet Mask 
Calculators 


V 




Undergo host 
discovery 


Use tools such as Nmap 
■""> (nmap - bP <• net work- 
range>) 


V 




Perform port 
scanning 


Use tools such as Nmap 
- > (nrnap s5<network- 
rartge>) 








>5p 



2. Calculate the subnet mask

Calculate the subnet mask of the target network using a tool such as Subnet Mask Calculator. A ping sweep can then be used to discover the hosts on the subnet. [Remainder of the paragraph unreadable in the scan.]

3. Undergo host discovery

Nmap is one of the most important tools for discovering the live hosts on the target network. Run Nmap as follows: nmap -sP <network-range>, where network-range is the address range of the target network.

4. Perform port scanning



https://www.facebook.com/tibea2004 






[Flowchart, continued: Perform DNS enumeration (use the Windows utility NSLookup) -> Perform NetBIOS enumeration (use tools such as SuperScan, Hyena and Winfingerprint) -> Perform SNMP enumeration (use tools such as OpUtils and SolarWinds IP Network Browser) -> Perform Unix/Linux enumeration (use tools such as Enum4linux).]
5. Perform DNS enumeration

DNS enumeration is performed to obtain all the DNS records of the target. These records hold information such as machine names, user names and addresses. [Part of the paragraph unreadable in the scan.] The tool used here is NSLOOKUP.

6. Perform NetBIOS enumeration

NetBIOS enumeration over TCP/IP reveals the shares on the hosts, policies and passwords. It is performed with tools such as SuperScan, Hyena and WinFingerprint.



7. Perform SNMP enumeration

SNMP enumeration extracts the information exposed by the SNMP service on the target devices. Use tools such as OpUtils and SolarWinds IP Network Browser.

8. Perform Unix/Linux enumeration

Unix/Linux enumeration is performed with Enum4linux and the commands showmount, finger, rpcinfo (RPC) and rpcclient, among other tools. [Part of the paragraph unreadable in the scan.]

[Flowchart, continued: Perform LDAP enumeration (use tools such as Softerra LDAP Administrator) -> Perform NTP enumeration (use commands such as ntptrace, ntpdc and ntpq).]
9. Perform LDAP enumeration

LDAP enumeration queries the LDAP directory service of the target. It reveals user names, addresses and other directory information. [Part of the paragraph unreadable in the scan.] LDAP enumeration is performed with a tool such as Softerra LDAP Administrator.

10. Perform NTP enumeration

NTP enumeration is performed to gather information about the NTP server and the hosts that synchronise with it. Use commands such as ntptrace, ntpdc and ntpq.

11. Perform SMTP enumeration

SMTP enumeration is performed to identify the valid users on the SMTP server. Use a tool such as NetScanTools Pro to enumerate SMTP users.

This concludes footprinting, scanning and enumeration. [Remainder of the closing sentence unreadable in the scan.]

(01009943027) ^Ja .j 